Experts: Utilities need 'security conscience'

Implementation: weak link in cyber security?

As is often the case in utility security discussions, the focus tends to be on how to think about security, rather than specific measures.

The obvious point is that specific measures must be kept under wraps. The less obvious point is that the weak link in applying security measures is usually people, and how they think about security.

That's not to say that there aren't technical hurdles that can be discussed. I offer here a few insights from a good discussion I overheard last week on both security-related technology and the development of a security culture.

According to Patrick Miller, CEO, EnergySec, and a principal investigator for the National Electric Sector Cybersecurity Organization, data privacy, cryptography and software patching have all become difficult challenges as endpoints on the grid proliferate and the "attack surface" expands.

"Isolation remains a fantastic approach," Miller said in a recent webinar held by Pike Research. "But don't count on it."

(For one thing, true isolation is increasingly hard to achieve, because grid systems are now digitally interconnected.)

In the big picture of "turbine to toaster," "we're entering a state of 'hyper-embeddedness,'" Miller said. "We're adding too many devices, too fast.

"Innovation versus security is a big issue," Miller added. "Innovation takes us forward, but security falls by the wayside. It's not that it's impossible, it's just that we're moving too fast.

"Not all vendors are created equal," he cautioned. "Consider using your security specifications and demanding them from your vendor. At least you'll know where you stand."

Miller added that "fast regulation is bad regulation."

"We're looking at 51 bar fights as the Federal Energy Regulatory Commission," he said, "as FERC wants to regulate down into the distribution system."

In the case of the North American Electric Reliability Corporation's Critical Infrastructure Protection standards, or NERC CIP, a new version just out begins to draw finer distinctions among the definitions it uses, a move that panelists worried "turns back the clock."

Ernie Hayden, managing principal for energy security at Verizon, said in response to a question from moderator Bob Lockhart, a senior analyst at Pike Research, that the industry has "plenty of cybersecurity guidance and standards. We can use what we have and just get smarter on implementation."

That's when the discussion moved to how to think about security.

Hayden said that in security discussions with utilities, he had a strong sense that the common motivation in the power industry was avoiding fines for non-compliance with security regulations, rather than security itself.

"You need executive leadership to focus on security rather than compliance," Hayden said.

An exclusive focus on cyber security, however, will lead to other security vulnerabilities, Hayden said.

"I've recently seen bad physical security at utilities due to an over-focus on cyber security," Hayden said. "I've seen doors left unlocked."

What's needed is a utility with a "security conscience," a single individual "willing to ask the hard questions," Hayden said.

"One solution to all of this is finding the right people, well-trained people with the right instincts," Miller said. "But finding them and keeping them is a challenge, particularly when it comes to control systems security."
